Full Report
Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free. [...]
Analysis Summary
# Tool/Technique: Akira Ransomware Decryptor (GPU-Bruteforce Tool)
## Overview
This refers to a publicly available tool, released on GitHub, designed to decrypt files encrypted by the Akira ransomware. The decryptor leverages high-performance GPUs to brute-force the encryption keys, drastically reducing the time required compared to CPU-based methods.
## Technical Details
- Type: Tool (Cryptographic Recovery/Recovery Tool)
- Platform: Targets files encrypted by the Linux variant of Akira ransomware; the key recovery itself runs wherever the GPU hardware is accessible (likely Windows or Linux hosts).
- Capabilities: Brute-forcing the RSA-4096 encryption keys used by Akira ransomware by testing billions of possible timestamps.
- First Seen: Not explicitly stated, but the decryptor was recently released.
## MITRE ATT&CK Mapping
*Note: This is a decryption tool, so it maps to the adversary impact it reverses rather than to an adversary technique of its own.*
- **TA0012 - Impact**
- T1490 - Inhibit System Recovery (The decryptor attempts to reverse this impact)
## Functionality
### Core Capabilities
- **Key Recovery:** Attempts to brute-force the session keys, which the ransomware encrypts with RSA-4096 and appends to the encrypted files.
- **Timestamp Analysis:** Exploits the millisecond-level precision of the timestamps in the encrypted files' metadata; the resulting search space requires testing over a billion candidate timestamps per second.
- **Multi-threading Consideration:** Accounts for the multi-threading used by the Linux variant of Akira ransomware, which encrypts multiple files simultaneously.
### Advanced Features
- **GPU Acceleration:** Uses cloud GPU services (success is reported with sixteen RTX 4090 GPUs) to reach the required testing rate; at that scale there is enough capacity to recover and confirm a working key in roughly 10 hours.
- **Benchmark Profiling:** Builds predictable encryption-timing profiles of the hardware from benchmarks, narrowing the search space for brute-forcing timestamps.
- **Log File Utilization:** Uses system or application log files shared by victims to establish when the ransomware first executed, which bounds the brute-force window.
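The search described above (timestamp-seeded keys, a log-derived start time that bounds the window, and a known-plaintext check in place of the attacker's RSA private key), modelled as an added Python example that is not the decryptor's own code. The key derivation and stream cipher are hypothetical stand-ins, since the page does not give Akira's actual scheme, and the log line and ELF header are constructed.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed known plaintext: the first bytes of an ELF binary. Matching it
# confirms a candidate key without the attacker's RSA private key.
KNOWN_HEADER = b"\x7fELF\x02\x01\x01\x00"

def derive_key(ts_ms: int) -> bytes:
    """Hypothetical stand-in for a timestamp-seeded key derivation."""
    return hashlib.sha256(struct.pack(">Q", ts_ms)).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in stream cipher: SHA-256 counter mode, XORed."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def start_from_log(log_line: str, year: int) -> int:
    """Turn a constructed syslog-style line into a millisecond epoch bound."""
    stamp = " ".join(log_line.split()[:3])          # "Mar 10 03:14:15"
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1000)

def candidate_count(window_seconds: int) -> int:
    """Millisecond precision: 1000 candidate seeds per second of uncertainty."""
    return window_seconds * 1000

def search(header_ct: bytes, start_ms: int, window_ms: int):
    """Try every millisecond seed in [start_ms, start_ms + window_ms) and
    return the first whose key recovers the known header, else None."""
    for ts in range(start_ms, start_ms + window_ms):
        if stream_xor(derive_key(ts), header_ct).startswith(KNOWN_HEADER):
            return ts
    return None

if __name__ == "__main__":
    # Constructed victim log line that bounds when the ransomware started.
    log = "Mar 10 03:14:15 host sshd[1234]: Accepted publickey for root"
    start = start_from_log(log, 2025)
    secret = start + 4_321            # the real seed, 4.321 s after the log event
    ct = stream_xor(derive_key(secret), KNOWN_HEADER)
    print("candidates in a 10 s window:", candidate_count(10))
    print("seed recovered:", search(ct, start, candidate_count(10)) == secret)
```

The toy seed space is small enough for a CPU; the page's figures (billions of candidates, sixteen GPUs, roughly 10 hours) show what the same loop costs when the window cannot be bounded as tightly.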
## Indicators of Compromise
- **File Hashes:** Not provided in the context.
- **File Names:** Not provided in the context.
- **Registry Keys:** Not provided in the context.
- **Network Indicators:** The tool utilizes cloud GPU services (RunPod & Vast.ai mentioned as testing grounds) to perform the brute-force work, but these are infrastructure used by the defender/researcher, not the attacker's C2.
- **Behavioral Indicators:** Use of powerful, dedicated GPU resources for intensive computational tasks aimed at reversing cryptographic operations.
## Associated Threat Actors
- Akira Ransomware Group (The target of the decryption effort).
- Researcher Yohanes Nugroho (The developer of the free public decryptor).
## Detection Methods
- **Signature-based detection:** Not applicable to the legitimate decryption tool, but signatures for the Akira ransomware itself would target the encryption phase.
- **Behavioral detection:** Detection of extremely high utilization of GPU resources coupled with file I/O operations, potentially indicative of either heavy encryption or decryption efforts.
- **YARA rules:** Not provided in the context.
## Mitigation Strategies
- **Prevention:** Maintain offline/immutable backups to avoid the need for decryption.
- **Hardening recommendations:** Patch systems promptly to close the initial compromise vectors Akira exploits (though the article focuses on post-encryption recovery). Run security tools with elevated privileges only when necessary; building the predictable hardware profiles the decryptor relies on requires system-level insight.
- **Caution:** Back up all encrypted files before attempting decryption, as using the wrong key could corrupt the data.
## Related Tools/Techniques
- Akira Ransomware (The malware being targeted).
- Other specialized GPU-based brute-force recovery tools for various ransomware strains.